All consultantsbelong to a global groupnamed TempWorkers.
You place three file serversin a new organizational unitnamed SecureServers.
The three file servers contain confidential datalocated in shared folders.
You need to record any failed attempts made by the consultants to access the confidential data.
Which two actions should you perform?
(Each correct answer presents part of the solution. Choose two.)
A.
Create and link a new GPO to the SecureServers organizational unit. Configure the Deny access to this
computer from the network user rights setting for the TempWorkers global group.
B.
Create and link a new GPO to the SecureServers organizational unit. Configure the Audit privilege use
Failure audit policy setting.
C.
Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object access
Failure audit policy setting.
D.
On each shared folder on the three file servers, add the three servers to the Auditing tab. Configure the
Failed Full control setting in the Auditing Entry dialog box.
E.
On each shared folder on the three file servers, add the TempWorkers global group to the Auditing tab.
Configure the Failed Full control setting in the Auditing Entry dialog box.
Explanation:
Answer.On each shared folder on the three file servers, add the TempWorkers global group to the Auditing
tab. Configure the Failed Full control setting in the Auditing Entry dialog box.
Create and link a new GPO to the SecureServers organizational unit. Configure the Audit object
access Failure audit policy setting.
http://technet.microsoft.com/en-us/library/cc771070.aspx
Apply or Modify Auditing Policy Settings for a Local File or Folder
You can apply audit policies to individual files and folders on your computer by setting the permission type to
record successful access attempts or failed access attempts in the security log.
..
To apply or modify auditing policy settings for a local file or folder
1. Open Windows Explorer.
2. Right-click the file or folder that you want to audit, click Properties, and then click the Securitytab.
3. Click Edit, and then click Advanced.
4. In the Advanced Security Settings for <object> dialog box, click the Auditing tab.
..
7. In the Access box, indicate what actions you want to audit by selecting the appropriate check boxes:
..
* To audit unsuccessful events, select the Failed check box.
..
…
http://technet.microsoft.com/en-us/library/cc776774%28v=ws.10%29.aspx
Audit object access
Description
This security setting determines whether to audit the event of a user accessing an object–for example, a
file, folder, registry key, printer, and so forth–that has itsown system access control list (SACL) specified.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the
event type at all.
Success audits generate an audit entry when a user successfully accesses an object that has an appropriate
SACL specified.
Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a
SACL specified.
Further information:
Practically the same as J/Q5.
Reference:
Windows Server 2008 R2 Unleashed (SAMS, 2010)
page 671
Auditing Resource Access
Object access can be audited, although it is not one of the recommended settings. Auditing object access can
place a significant load on the servers, so it should only be enabled when it is specifically needed. Auditing
object access is a two-step process: Step one is enabling “Audit object access”and step two is selecting the
objects to be audited. When enabling Audit object access, you need to decide if both failure and success
events will be logged. The two options are as follows:
Audit object access failureenables you to see if users are attempting to access objects to which they
have no rights. This shows unauthorized attempts.
Audit object access successenables you to see usage patterns. This shows misuse of privilege.
After object access auditing is enabled, you can easily monitor access to resources such as folders, files, and
printers.
Auditing Files and Folders
The network administrator can tailor the way Windows Server 2008 R2 audits files and folders through the
property pages for those files or folders. Keep in mind that the more files and folders that are audited, the more
events that can be generated, which can increase administrative overhead and system resource requirements.
Therefore, choose wisely which files and folders toaudit. To audit a file or folder, do the following:
1. In Windows Explorer, right-click the file or folder to audit and select Properties.
2. Select the Security tab and then click the Advanced button.
3. In the Advanced Security Settings window, select theAuditing taband click the Edit button.
4. Click the Add button to display the Select User or Group window.
5. Enter the name of the user or group to audit when accessing the file or folder. Click the Check Names
button to verify the name.